Security News

A patch for the popular WordPress plugin called Contact Form 7 was released Thursday. The patch comes in the form of a 5.3.2 version update to the Contact Form 7 plugin.

The team behind a popular WordPress plugin has disclosed a critical file upload vulnerability and issued a patch. The vulnerable plugin, Contact Form 7, has over 5 million active installs making this urgent upgrade a necessity for WordPress site owners out there.

Millions of malicious scans are rolling across the internet, looking for known vulnerabilities in the Epsilon Framework for building WordPress themes, according to researchers. "The security flaws on WordPress websites in themes using the Epsilon Framework are just another example of this content management system's inherent security risks," said Ameet Naik, security evangelist at PerimeterX, via email.

Unknown threat actors are scanning for WordPress websites with Epsilon Framework themes installed on over 150,000 sites and vulnerable to Function Injection attacks that could lead to full site takeovers. "So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from over 18,000 IP addresses," Wordfence QA engineer and threat analyst Ram Gall said.

"The Ultimate Member plugin is designed to provide administrators with features for user registration and account creation. The disclosed vulnerabilities included unauthenticated privilege escalation by sending arbitrary data in the user meta keys during registration or supplying an incorrect role parameter exposed by a lack of user input filtering. The third disclosed vulnerability involves gaining authenticated privilege escalation by abusing the profile update feature, where attackers can assign secondary admin roles to users without appropriate checks." "An attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges," according to Wordfence.

Admins of WordPress sites who use the Ultimate Member plugin are urged to update it to the latest version to block attacks attempting to exploit multiple critical and easy to exploit vulnerabilities that could lead to site takeovers. In a report published earlier today by Wordfence's Threat Intelligence team, threat analyst Chloe Chamberland said that the three security flaws disclosed by Wordfence could have allowed attackers to escalate their privileges to admin ones and fully take over any WordPress site using a vulnerable Ultimate Member installation.

A security vulnerability in the Welcart e-Commerce plugin opens up websites to code injection. Welcart e-Commerce is a free WordPress plugin that has more than 20,000 installations - it enjoys top market share in Japan, according to WordPress.

The day after WordPress pushed out a critical 5.5.2 security update, patching a remote code execution bug and nine additional flaws, it was forced push out a second update and then a third 5.5.3 update. The hiccup is tied to the WordPress auto-update feature that accidentally started sending 455 million websites a WordPress update that caused new WordPress installs to fail.

The update patches a high-severity bug, which could allow a remote unauthenticated attacker to take over a targeted website via a narrowly tailored denial-of-service attack. Of the ten security bugs patched by WordPress a standout flaw, rated high-severity, could be exploited to allow an unauthenticated attacker to execute remote code on systems hosting the vulnerable website.

Two high-severity vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, opens the door to site takeovers, according to researchers. The upshot is that attackers could use the malicious JavaScript to add a malicious administrator, add a backdoor to plugin or theme files, or steal the administrator's session information - all of which are paths to complete takeover of a site.